Top 5 Docker Security Vulnerabilities
2022年10月31日
0 分で読めますWhat is a Docker vulnerability?
A Docker vulnerability is any weakness within an image, container, or host that could potentially be exploited. When these vulnerabilities are discovered and publicly disclosed, they’re added to the Common Vulnerabilities and Exposures (CVE) list. In addition, the Common Vulnerability Scoring System (CVSS) publishes information about the severity of each vulnerability on the CVE List.
Top 5 Docker vulnerabilities that you need to know about
Here are the top five Docker vulnerabilities or CVEs development teams should watch out for.
1. CVE-2019-5736: RUNC CONTAINER BREAKOUT VULNERABILITY
There is a Docker vulnerability where it’s possible to overwrite the host `runc` binary and obtain root access on the host. When malicious actors have root access, they can escalate their privileges and stage devastating attacks. Fixing CVE-2019-5736 requires upgrading `container-common` for Docker instances running on Oracle Linux 8.
2. CVE-2022-0847: DIRTY PIPE
Another vulnerability due to improper initialization is CVE-2022-0847. Dubbed the “dirty pipe” by the security community, this flaw within the kernel pipeline implementation enables a malicious actor to change the content of files that they don’t have permission to change, and then escalate their privileges. Fixing this issue requires upgrading all Linux hosts to patched versions.
3. CVE-2021-21285: UNCONTROLLED RESOURCE CONSUMPTION
In older versions of Docker, there is a vulnerability where pulling a malformed Docker image manifest crashes the Docker daemon running on the host system. Fixing CVE-2021-21285 involves upgrading to a patched version of Docker, which prevents the daemon from crashing due to uncontrolled resource consumption.
4. CVE-2014-9356: DIRECTORY TRAVERSAL
CVE-2015-9356 is a directory traversal vulnerability affecting Docker version 1.3.3. A directory traversal (or path traversal) attack is a way to access files that shouldn’t be accessible by third parties — files that could contain application code or sensitive information. Upgrading to a patched version of Docker can ensure remote attackers won’t be able to exploit the path traversal vulnerability to bypass a container protection mechanism.
5. CVE-2019-14271: IMPROPER INITIALIZATION
In certain Docker versions, there’s a potential code injection vulnerability when the `nsswitch` (name service switch) dynamically loads a library inside a `chroot` (change root) operation that contains the contents of the container. In a code injection attack, an application executes unauthorized code from a malicious actor. Fixing CVE-2019-14271 requires upgrading the Docker CLI for Docker instances running on Oracle Linux 7.
For more information about other Docker vulnerabilities, see the Docker Top 10 vulnerabilities list published by the Open Web Application Security Project (OWASP).
Best practices to reduce Docker vulnerabilities
Although container security is a broad topic, there are a few best practices that can dramatically reduce Docker vulnerabilities. For example, leveraging automated tools to secure the container image, everything inside the container, and the runtime environment in which the container is deployed are effective tactics to increase container security. Learn more about Docker Security here.
Container scanning is an automated approach for detecting vulnerabilities within various components of containerized applications or workloads. These components include the software inside the container, how the container interacts with the host system and other containers, the configurations for networking and storage, and more.
Most container scanning tools leverage a vulnerability database as a trusted source of information about publicly disclosed security vulnerabilities. For example, Snyk’s Vulnerability Database enriches the CVE List and other public vulnerability sources with actionable insights. By including additional information for each Docker CVE, Snyk’s vulnDB enables developers to more easily remediate Docker security issues.
In addition to container scanning, container monitoring is the practice of tracking metrics about the health of containerized applications and workloads, as well as tracking potential exposure to any newly discovered vulnerabilities that may be present in running workloads. This ensures everything is working properly, and could even help reveal potential vulnerabilities, like uncontrolled resource consumption. Container scanning and container monitoring tools complement each other, protecting during the build stage and beyond.
Check out our cheat sheet for an in-depth list of Docker security best practices.
Docker security scanning with Snyk
Snyk offers comprehensive vulnerability scanning for all the components of modern applications, from the source code and open source dependencies to the containers and infrastructure as code configurations. That means Snyk can secure a Docker container image, the code and dependencies it contains, and the configurations used to deploy it.
As adoption for Docker grows, the partnership between Snyk and Docker continues to expand as well – and this is reflected in the Docker vulnerability scanning capabilities of Snyk. In fact, the `docker scan` command within the Docker Desktop CLI is powered by the Snyk platform. With Snyk and Docker together, development teams can build and deploy containers quickly and safely.
You can also learn more about container security and Docker with our 3 steps to container image security, produced with Docker.
Docker Vulnerabilities FAQs
Is Docker a secure platform?
The Docker platform itself isn’t inherently secure or insecure. While containers may be isolated from other processes on a host, additional security measures are still crucial to prevent container breakout and other types of vulnerabilities. An effective container security strategy for building and deploying containers is the best way to reduce the risk of a vulnerability, and in turn, an attack. Just like any other technology platform, following security best practices is the key to mitigating potential threats.
Are Docker images encrypted?
Docker images are not encrypted by default, but it is possible to utilize digital signatures to ensure the integrity of an image. Publishers can sign their image using the Docker Notary tool when they push images to a registry. By verifying the signature using Docker Content Trust, developers can trust that the images they pull or deploy from an image registry are the originals and haven’t been modified by a malicious actor.
What is “container breakout”?
Container breakout is a situation where a malicious actor is able to escape the isolation of a container and access host resources. Once a malicious actor has gained root access on the host, they can escalate their privileges and stage further attacks. A Docker security scanning tool can detect container breakout vulnerabilities (and other types of vulnerabilities) so that developers can patch them before they’re exploited.